diff --git a/policy-F13.patch b/policy-F13.patch
index 869c3c2..983b8dc 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -6219,7 +6219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.13/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.13/policy/modules/kernel/devices.if 2010-03-11 08:56:13.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/devices.if 2010-03-11 22:32:20.000000000 -0500
@@ -934,6 +934,42 @@
########################################
@@ -11965,7 +11965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-03-09 19:04:58.000000000 -0500
-+++ serefpolicy-3.7.13/policy/modules/services/apache.te 2010-03-11 08:56:13.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/apache.te 2010-03-12 08:45:37.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -12175,7 +12175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -290,9 +359,9 @@
+@@ -290,13 +359,14 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -12188,7 +12188,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -308,9 +377,11 @@
+-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
++manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
++files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+
+ manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -308,9 +378,11 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
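Review bot: The new `manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)` and the `lnk_file` added to `files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })` let httpd_t create, rename and delete symlinks in /tmp, yet the changelog hunk in selinux-policy.spec does not record this apache change at all. Symlink creation in a shared tmp directory is the usual ingredient of symlink-following problems, so the grant deserves a one-line justification next to the rule, e.g. `# <application or bug id> creates symlinks in its tmp dir`, plus a changelog line. The filetrans does keep the links labelled httpd_tmp_t, which is what confines the new capability to httpd's own type, and that is worth stating in the comment. The enclosing httpd_t section starts and ends outside the hunk.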
@@ -12201,7 +12207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -319,18 +390,21 @@
+@@ -319,18 +391,21 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -12228,7 +12234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -342,15 +416,15 @@
+@@ -342,15 +417,15 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -12247,7 +12253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
-@@ -365,6 +439,10 @@
+@@ -365,6 +440,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -12258,7 +12264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_read_lib_files(httpd_t)
-@@ -379,18 +457,33 @@
+@@ -379,18 +458,33 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -12296,7 +12302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -398,32 +491,71 @@
+@@ -398,32 +492,71 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -12373,7 +12379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -431,14 +563,21 @@
+@@ -431,14 +564,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -12398,7 +12404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_ssi_exec',`
-@@ -463,7 +602,18 @@
+@@ -463,7 +603,18 @@
')
optional_policy(`
@@ -12417,7 +12423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -475,8 +625,24 @@
+@@ -475,8 +626,24 @@
')
optional_policy(`
@@ -12444,7 +12450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -484,22 +650,19 @@
+@@ -484,22 +651,19 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
@@ -12470,7 +12476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -510,12 +673,23 @@
+@@ -510,12 +674,23 @@
')
optional_policy(`
@@ -12494,7 +12500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -524,6 +698,11 @@
+@@ -524,6 +699,11 @@
')
optional_policy(`
@@ -12506,7 +12512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -551,6 +730,23 @@
+@@ -551,6 +731,23 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -12530,7 +12536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -580,20 +776,32 @@
+@@ -580,20 +777,32 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -12569,7 +12575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -611,23 +819,24 @@
+@@ -611,23 +820,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -12598,7 +12604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -640,6 +849,7 @@
+@@ -640,6 +850,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -12606,7 +12612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -647,22 +857,31 @@
+@@ -647,22 +858,31 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -12645,7 +12651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -688,16 +907,16 @@
+@@ -688,16 +908,16 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -12666,7 +12672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -712,15 +931,29 @@
+@@ -712,15 +932,29 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -12698,7 +12704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -728,6 +961,35 @@
+@@ -728,6 +962,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -12734,7 +12740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -740,6 +1002,10 @@
+@@ -740,6 +1003,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12745,7 +12751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -751,6 +1017,8 @@
+@@ -751,6 +1018,8 @@
# httpd_rotatelogs local policy
#
@@ -12754,7 +12760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -770,11 +1038,88 @@
+@@ -770,11 +1039,88 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -20420,7 +20426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.13/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.13/policy/modules/services/nut.te 2010-03-11 10:36:44.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nut.te 2010-03-11 16:49:45.000000000 -0500
@@ -29,7 +29,8 @@
# Local policy for upsd
#
@@ -20439,10 +20445,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)
-@@ -100,6 +102,10 @@
+@@ -100,6 +102,12 @@
miscfiles_read_localization(nut_upsmon_t)
++mta_send_mail(nut_upsmon_t)
++
+optional_policy(`
+ shutdown_domtrans(nut_upsmon_t)
+')
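Review bot: `mta_send_mail(nut_upsmon_t)` is added as a bare call while the `shutdown_domtrans(nut_upsmon_t)` right below it is wrapped in `optional_policy(`...')`; unless the mta module is guaranteed to be present in every build, the bare call will break linking of the nut module when mta is absent. Wrapping it the same way, `optional_policy(` / `mta_send_mail(nut_upsmon_t)` / `')`, keeps the two additions consistent with each other and with the surrounding file. As its name says it lets the upsmon domain invoke the MTA, and the changelog in the spec hunk does not mention this nut change, so a changelog line would help. The enclosing upsmon section starts outside the hunk.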
@@ -20450,7 +20458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
########################################
#
# Local policy for upsdrvctl
-@@ -123,6 +129,7 @@
+@@ -123,6 +131,7 @@
kernel_read_kernel_sysctls(nut_upsdrvctl_t)
# /sbin/upsdrvctl executes other drivers
@@ -20458,7 +20466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_urand(nut_upsdrvctl_t)
-@@ -149,5 +156,15 @@
+@@ -149,5 +158,15 @@
read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
@@ -27702,8 +27710,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.13/policy/modules/services/xserver.if 2010-03-11 13:51:57.000000000 -0500
-@@ -19,7 +19,7 @@
++++ serefpolicy-3.7.13/policy/modules/services/xserver.if 2010-03-11 22:31:52.000000000 -0500
+@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
@@ -27711,8 +27719,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
type iceauth_t, iceauth_exec_t, iceauth_home_t;
type xauth_t, xauth_exec_t, xauth_home_t;
++ class dbus send_msg;
')
-@@ -31,7 +31,7 @@
+
+ role $1 types { xserver_t xauth_t iceauth_t };
+@@ -31,7 +32,7 @@
allow xserver_t $2:shm rw_shm_perms;
domtrans_pattern($2, xserver_exec_t, xserver_t)
@@ -27721,7 +27732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t $2:shm rw_shm_perms;
-@@ -45,6 +45,7 @@
+@@ -45,6 +46,7 @@
manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -27729,7 +27740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_search_tmp($2)
# Communicate via System V shared memory.
-@@ -56,6 +57,10 @@
+@@ -56,6 +58,10 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
@@ -27740,7 +27751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +76,10 @@
+@@ -71,9 +77,13 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -27749,10 +27760,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
+ dontaudit $2 xdm_tmp_t:dir setattr;
++
++ allow $2 xdm_t:dbus send_msg;
++ allow xdm_t $2:dbus send_msg;
# Client read xserver shm
allow $2 xserver_t:fd use;
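Review bot: The two added rules `allow $2 xdm_t:dbus send_msg;` and `allow xdm_t $2:dbus send_msg;` open an unconditional, bidirectional dbus channel between every domain given `xserver_restricted_role` and the privileged display-manager domain, so the "restricted" role now reaches xdm_t over dbus in addition to the fd/fifo/sock_file access just above. If xserver.if already provides an xdm dbus-chat interface (refpolicy has carried one in other releases), calling it from here would avoid duplicating both this rule pair and the `class dbus send_msg;` require added in the earlier hunk of this file. Either way the interface's `##` header should note the dbus access, and a tunable_policy guard would let sites that do not need it keep the restricted role off the xdm bus. The enclosing interface starts and ends outside the hunk.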
-@@ -94,9 +100,9 @@
+@@ -94,9 +104,9 @@
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
@@ -27763,7 +27777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -197,7 +203,7 @@
+@@ -197,7 +207,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -27772,7 +27786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -291,12 +297,12 @@
+@@ -291,12 +301,12 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -27788,7 +27802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -355,6 +361,11 @@
+@@ -355,6 +365,11 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -27800,7 +27814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
##############################
-@@ -386,6 +397,14 @@
+@@ -386,6 +401,14 @@
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -27815,7 +27829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
#######################################
-@@ -476,6 +495,7 @@
+@@ -476,6 +499,7 @@
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -27823,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X object manager
xserver_object_types_template($1)
-@@ -545,6 +565,9 @@
+@@ -545,6 +569,9 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -27833,7 +27847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -598,6 +621,7 @@
+@@ -598,6 +625,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -27841,7 +27855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +829,7 @@
+@@ -805,7 +833,7 @@
')
files_search_pids($1)
@@ -27850,7 +27864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1224,9 +1248,20 @@
+@@ -1224,9 +1252,20 @@
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
@@ -27871,7 +27885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1250,3 +1285,329 @@
+@@ -1250,3 +1289,329 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -30714,7 +30728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.13/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.13/policy/modules/system/ipsec.te 2010-03-11 08:56:13.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/ipsec.te 2010-03-12 08:40:36.000000000 -0500
@@ -29,9 +29,15 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
@@ -30795,6 +30809,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
+@@ -238,7 +257,7 @@
+
+ domain_use_interactive_fds(ipsec_mgmt_t)
+ # denials when ps tries to search /proc. Do not audit these denials.
+-domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
++domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
+ # suppress audit messages about unnecessary socket access
+ # cjp: this seems excessive
+ domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
@@ -247,8 +266,10 @@
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
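Review bot: The comment kept above the changed line, `# denials when ps tries to search /proc. Do not audit these denials.`, describes the old `domain_dontaudit_list_all_domains_state` rule; the replacement `domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)` silences reads of every domain's /proc state, not just directory searches. Update it to `# ps reads /proc/<pid> state of all domains; do not audit these denials.` so the silenced scope is visible to whoever audits the policy. A dontaudit on reading all domains' state also hides genuine information-gathering attempts from the audit log, so keeping the justification accurate matters more than usual here.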
@@ -30954,7 +30977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.13/policy/modules/system/libraries.fc 2010-03-11 08:56:13.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/libraries.fc 2010-03-12 08:53:21.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -31243,8 +31266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+
+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
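Review bot: The new `/usr/lib/libADM.*\.so.*` entry collapses two explicit libADM paths into a glob but, unlike the neighbouring `/usr/lib(64)?/libswscale\.so.*` and `/usr/lib(64)?/gstreamer-.*` entries, it covers only the 32-bit path, so on x86_64 the same libraries under /usr/lib64 will not get textrel_shlib_t (unless the 32-bit-only coverage is deliberate). Because `.` in these regexes also matches `/`, the `.*` after `libADM` will additionally match anything below /usr/lib whose path merely starts with libADM; a tighter form is `/usr/lib(64)?/libADM[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. textrel_shlib_t exempts objects from the text-relocation (execmod) protection, so widening a glob here widens that exemption and is worth being precise about.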
@@ -31315,6 +31337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.13/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.13/policy/modules/system/libraries.if 2010-03-11 08:56:13.000000000 -0500
@@ -32872,7 +32895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.13/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.te 2010-03-11 15:14:13.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.te 2010-03-11 20:56:51.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -34552,7 +34575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.13/policy/modules/system/userdomain.if 2010-03-11 14:10:21.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/userdomain.if 2010-03-11 22:38:10.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -35392,7 +35415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
loadkeys_run($1_t,$1_r)
')
')
-@@ -871,45 +955,75 @@
+@@ -871,45 +955,76 @@
#
auth_role($1_r, $1_t)
@@ -35408,11 +35431,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ dev_dontaudit_read_rand($1_usertype)
+ # temporarily allow since openoffice requires this
+ dev_read_rand($1_usertype)
-
-- logging_send_syslog_msg($1_t)
++
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
-+
++ dev_rw_wireless($1_usertype)
+
+- logging_send_syslog_msg($1_t)
+ tunable_policy(`user_rw_noexattrfile',`
+ fs_manage_noxattr_fs_files($1_usertype)
+ fs_manage_noxattr_fs_dirs($1_usertype)
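Review bot: `dev_rw_wireless($1_usertype)` hands every user type unconditional read/write access to wireless device nodes, with no comment and no tunable, whereas the adjacent `dev_read_rand($1_usertype)` at least carries `# temporarily allow since openoffice requires this`. Add a justification comment naming the tool or bug that needs raw wireless device access (placeholder: `# needed by <application>`), and consider gating the rule behind a `tunable_policy(` block so deployments that do not need it can keep user domains off those devices. The enclosing template starts outside the hunk.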
@@ -35483,7 +35507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -944,7 +1058,7 @@
+@@ -944,7 +1059,7 @@
#
# Inherit rules for ordinary users.
@@ -35492,7 +35516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -953,54 +1067,73 @@
+@@ -953,54 +1068,73 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -35557,16 +35581,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ gnomeclock_dbus_chat($1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t,$1_r)
++ ')
++
++ optional_policy(`
+ gpm_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ execmem_role_template($1, $1_r, $1_t)
+ ')
+
@@ -35584,19 +35605,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t,$1_r)
+ postfix_run_postdrop($1_t, $1_r)
-+ ')
-+
+ ')
+
+ # Run pppd in pppd_t by default for user
-+ optional_policy(`
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1036,7 +1169,7 @@
+@@ -1036,7 +1170,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -35605,7 +35629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1071,6 +1204,9 @@
+@@ -1071,6 +1205,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -35615,7 +35639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1221,7 @@
+@@ -1085,6 +1222,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -35623,7 +35647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1120,6 +1257,8 @@
+@@ -1120,6 +1258,8 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -35632,7 +35656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1207,6 +1346,8 @@
+@@ -1207,6 +1347,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -35641,7 +35665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1272,11 +1413,15 @@
+@@ -1272,11 +1414,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -35657,7 +35681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,6 +1532,7 @@
+@@ -1387,6 +1533,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -35665,7 +35689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1433,6 +1579,14 @@
+@@ -1433,6 +1580,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -35680,7 +35704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1602,11 @@
+@@ -1448,9 +1603,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -35692,7 +35716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1663,42 @@
+@@ -1507,6 +1664,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -35735,7 +35759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Create directories in the home dir root with
-@@ -1581,6 +1773,8 @@
+@@ -1581,6 +1774,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -35744,7 +35768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1595,10 +1789,12 @@
+@@ -1595,10 +1790,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -35759,7 +35783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1641,6 +1837,24 @@
+@@ -1641,6 +1838,24 @@
########################################
##
@@ -35784,7 +35808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1692,6 +1906,7 @@
+@@ -1692,6 +1907,7 @@
type user_home_dir_t, user_home_t;
')
@@ -35792,7 +35816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1708,11 +1923,14 @@
+@@ -1708,11 +1924,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -35810,7 +35834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1819,20 +2037,14 @@
+@@ -1819,21 +2038,15 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -35824,18 +35848,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
##
-@@ -1866,6 +2078,7 @@
+ ## Do not audit attempts to execute user home files.
+@@ -1866,6 +2079,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -35843,7 +35868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2315,25 @@
+@@ -2102,6 +2316,25 @@
########################################
##
@@ -35869,7 +35894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to list user
## temporary directories.
##
-@@ -2218,6 +2450,25 @@
+@@ -2218,6 +2451,25 @@
########################################
##
@@ -35895,7 +35920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
##
-@@ -2427,13 +2678,14 @@
+@@ -2427,13 +2679,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -35911,7 +35936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2787,7 +3039,7 @@
+@@ -2787,7 +3040,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -35920,7 +35945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3055,13 @@
+@@ -2803,11 +3056,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -35936,7 +35961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2944,7 +3198,7 @@
+@@ -2944,7 +3199,7 @@
type user_tmp_t;
')
@@ -35945,7 +35970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3235,7 @@
+@@ -2981,6 +3236,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -35953,7 +35978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3366,745 @@
+@@ -3111,3 +3367,745 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8cd9628..51e2878 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.13
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,11 @@ exit 0
%endif
%changelog
+* Fri Mar 12 2010 Dan Walsh 3.7.13-4
+- Allow users to dbus chat with xdm
+- Allow users to r/w wireless_device_t
+- Dontaudit reading of process states by ipsec_mgmt
+
* Thu Mar 11 2010 Dan Walsh 3.7.13-3
- Fix openoffice from unconfined_t